Augmented reality based privacy and decryption

ABSTRACT

A method, non-transitory computer readable medium and apparatus for decrypting a document are disclosed. For example, the method captures a tag on an encrypted document, transmits the tag to an application server of a communication network to request a per-document decryption key, receives the per-document decryption key if the tag is authenticated, and decrypts a portion of the encrypted document using a temporary decryption key contained in the tag, the tag decrypted with the per-document decryption key.

The present disclosure relates generally to privacy and decryption of documents and, more particularly, to a method, computer readable medium, and apparatus for providing augmented reality based privacy and decryption.

BACKGROUND

Certain professions require that documents be kept confidential to maintain privacy of individuals and/or such that only certain individuals having a certain clearance level will have access to certain documents. For example, it may be important in the health care industry to keep patient records confidential. A user may access a website, an electronic document or a paper document and may want to make sure that the user is the only one able to view the information. In other words, the user may want to ensure that people in the vicinity of the user are not “spying” as the user is viewing the information. In addition, once a confidential document has been decrypted and printed, there is no guarantee that the confidential document will not end up with or be read by unauthorized personnel.

SUMMARY

In one embodiment, the present disclosure provides a method, computer readable medium, and apparatus for decrypting a document. For example, the method captures a tag on an encrypted document, transmits the tag to an application server of a communication network to request a per-document decryption key, receives the per-document decryption key if the tag is authenticated, and decrypts a portion of the encrypted document using a temporary decryption key contained in the tag, the tag decrypted with the per-document decryption key.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates one example of a communication network of the present disclosure;

FIG. 2 illustrates an example flowchart of one embodiment of a method for decrypting a document;

FIG. 3 illustrates an example flowchart of a second embodiment of a method for decrypting a document; and

FIG. 4 illustrates a high-level block diagram of a general-purpose computer suitable for use in performing the functions described herein.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION

The present disclosure broadly discloses a method, non-transitory (i.e., tangible or physical) computer readable storage medium, and apparatus for decrypting a document. As noted above, certain professions require that documents be kept confidential to maintain privacy of individuals or such that only certain individuals having a certain clearance level will have access to certain documents. However, once a document is printed or published there is no guarantee that it will not end up with or be read by unauthorized personnel unless the document is destroyed.

One embodiment of the present disclosure provides augmented reality encryption and decryption such that documents may remain encrypted and only those with appropriate access may decrypt and view the encrypted document. For example, an augmented reality device is used to capture an image, to provide a live view or feed of the encrypted document, to decrypt the image and to present the decrypted document to a user locally on a display of the augmented reality device, while the encrypted document remains encrypted.

FIG. 1 is a block diagram depicting one example of a communication network 100. The communication network 100 may be any type of communication network, such as for example, a traditional circuit switched network (e.g., a public switched telephone network (PSTN)) or a packet network such as an Internet Protocol (IP) network (e.g., an IP Multimedia Subsystem (IMS) network), an asynchronous transfer mode (ATM) network, a wireless network, a cellular network (e.g., 2G, 3G, and the like), a long term evolution (LTE) network, and the like related to the current disclosure. It should be noted that an IP network is broadly defined as a network that uses Internet Protocol to exchange data packets. Additional exemplary IP networks include Voice over IP (VoIP) networks, Service over IP (SoIP) networks, and the like.

In one embodiment, the network 100 may comprise a core network 102. The core network 102 may be in communication with one or more access networks 120 and 122. The access networks 120 and 122 may include a wireless access network (e.g., a Wireless Fidelity (Wi-Fi) network and the like), a cellular access network, a PSTN access network, a cable access network, a wired access network and the like. In one embodiment, the access networks 120 and 122 may all be different types of access networks, may all be the same type of access network, or some access networks may be the same type of access network and others may be different types of access networks. The core network 102 and the access networks 120 and 122 may be operated by different service providers, the same service provider or a combination thereof.

In one embodiment, the core network 102 may include an application server (AS) 104 and a database (DB) 106. Although only a single AS 104 and a single DB 106 are illustrated, it should be noted that any number of application servers 104 or databases 106 may be deployed.

In one embodiment, the AS 104 may comprise a general purpose computer as illustrated in FIG. 4 and discussed below. In one embodiment, the DB 106 may store personal information of the subscribers of the communication network 100, such as the subscribers' user identification (uid), public and private key information, encryption and decryption keys, and the like. In one embodiment, the core network 102 may be operated by a communication network service provider.

In one embodiment, the access network 120 may be in communication with one or more devices 250 and 110. In one embodiment, the one or more devices 250 and 110 may be augmented reality (AR) decryption devices with each device having an image capturing device 124. In one embodiment, the image capture device 124 may be used to capture at least a portion 126 of a document, e.g., displayed by a display device 108, e.g., a screen, a monitor and the like.

In one embodiment, the device 108 may be any device having a display capable of displaying an image or printing a document. For example, the device 108 may be a mobile device, a laptop, a tablet computer, a desktop computer, a printer, a scanner, a copying machine, and the like. The document may be an electronic document (e.g., a web page on a computer monitor, an electronic email, a word processing document, a spreadsheet, and the like) displayed by the device 108 or a physical document (e.g., a printed document on paper) produced or printed by the device 108.

In one embodiment, the AR device 250 may be a mobile endpoint device having a camera and a display. In another embodiment, the AR device 250 may be implemented as a pair of augmented reality glasses having a display and a camera with wireless capabilities to communicate with the communication network 100.

In yet another embodiment, the AR device 250 may be a combination of devices. For example, a mobile endpoint device having a camera or video camera may be in communication with a pair of augmented reality decryption glasses if the glasses do not have an image capture device.

In one embodiment, the access network 122 may be in communication with one or more third party service providers 112 and 114. For example, the third party service providers 112 and 114 may include service providers such as, for example, a financial institution, e.g., a bank, a health care provider, e.g., a doctor, a hospital, a medical laboratory, and the like. In one embodiment, the third party service providers 112 and 114 may need to provide documents, either physically or electronically, that are considered to be sensitive or confidential to a user.

It should be noted that the network 100 has been simplified. For example, the network 100 may include other network elements (not shown) such as border elements, routers, switches, policy servers, security devices, gateways, a content distribution network (CDN) and the like.

FIG. 2 illustrates an example flowchart of one embodiment of a method 200 for decrypting a document. In one embodiment, the method 200 may be performed by the AR device 250 in communication with the communication network 102 and the third party service provider 112. In one embodiment, the steps, functions, or operations of method 200 may be performed by a computing device 400 as described in connection with FIG. 4 below.

The method 200 begins at step 202. At step 202, the third party service provider 112 may register with an application server (or any hardware equivalents or systems) of the communication network service provider 252 of a communication network. For example, the third party service provider 112 may be a bank and the communication network service provider 252 may be a cellular communication service provider that provides mobile communication services to subscribers and/or operates the core network 102.

At step 204, the application server (e.g., AS 104) of the communication network service provider 252 may generate a master key pair including a master public key and a master private key and a signature key pair including a public signature key and a private signature key. The communication network service provider 252 provides a master public key and the signature key pair to the third party service provider 112. The communication network service provider 252 may keep the master private key and a copy of the public signature key.

In one embodiment, the master key pair is generated only once. In one embodiment, the signature key pair may be generated for each one of a plurality of different third party service providers (e.g., third party service providers 112 and 114). In other words, the signature key pair may be generated multiple times. The master public key may be a key that is used to encrypt a temporary key or a short term key that is generated randomly by the third party service provider 112. The temporary key or the short term key may be used to encrypt a document (e.g., either physical or electronic) that will be accessed by a user.

The signature key pair may be used to identify that the document was from a legitimate third party service provider, e.g., the third party service provider 112. For example, the private signature key may be used by the third party service provider 112 to generate a signature for a tag and the public signature key may be used by the communication network service provider 252 to verify that the signature is from the correct or legitimate third party service provider.

At step 206, a user of the device 108 may register his or her identification (ID) with an application server of the third party service provider 112. In one embodiment, the ID may be a user ID associated with the user's subscription to a communication service provided by the communication network service provider 252. In one embodiment, the user is a subscriber of the communication network service provider 252 and the third party service provider 112. For example, the user may have a bank account with the third party service provider 112 and is a mobile subscriber of the communication network service provider 252.

At step 208, the device 108 may request data and the third party service provider 112 may send encrypted data to the device 108 in response to the request. For example, the third party service provider 112 may receive a request for a confidential or sensitive document, e.g., a bank account statement from the device 108. In response, the third party service provider 112 may send an encrypted bank statement to the device 108.

In one embodiment, the third party service provider 112 may have an authentication process to ensure that the user requesting the data via the device 108 is authorized to receive the data. For example, if the third party service provider 112 is a bank, the user may log in with a username and password for the user's bank account with the bank to access various bank documents or statements. The data sent to the device 108 may be encrypted and sent with a signed tag from the third party service provider 112.

In one embodiment, the document may be visually encoded by dividing the image or video frame of the encrypted document into blocks. In one embodiment, taking into account color and light balance, the image of the document should be encoded using a gray scale or colors with enough separation between the gray scales or colors so that instead of trying to identify the actual color (e.g., blue vs. yellow), the device would be able to distinguish between different gray scales or colors (i.e., color 1 vs. color 2). Although one example was provided above, any visual encoding algorithm may be used. Each block may then be individually encrypted using an advanced encryption standard (AES). In one embodiment, the encryption may be performed using a random nonce.

In one embodiment, the encryption may be performed by using an n×m matrix of the blocks. For example, a per-document key $K_{doc}$ can be used to encrypt the matrix block by block. The per-document key may be, for example, the temporary key or the short term key described above. The per-document key may be encrypted using the master public key. In one embodiment, the cell at row i and column j may be encrypted according to a function $C_{i,j} = [i, j, F_{K_{doc}}(i, j) \oplus M_{i,j}]$, where F is a block cipher, such as AES. The above encryption method may use less memory and be more efficient than other currently used methods of encryption.

In one embodiment, the tag may be signed by a signature of the service provider that is generated with the private signature key, the ID of the user and a time stamp. In one embodiment, the time stamp may be used to enable “self destruction” of a document. For example, the encrypted data may only be available for decryption for a predefined time period, e.g., a 48 hour window, a window of one week, and so on. As an example, if the user does not decrypt the encrypted document within 48 hours, no decryption key will be available or issued after the 48 hour time period and the document may never be decrypted. The time window used above is only one example and it should be noted that any time window may be used.

At step 210, the AR device 250 may visually capture the signed tag via an image capturing device, e.g., a camera. At step 212, the AR device 250 may send a request for a per-document decryption key to the communication network service provider 252 with the signed tag. In one embodiment, the communication network service provider 252 may perform an authentication of the AR device 250. For example, to ensure that a user is not trying to decrypt a document that belongs to another individual (e.g., a user reading over the shoulder of another user), the communication network service provider may verify that the ID of the user matches an ID of the AR device 250 or use a login and password that is associated with both the AR device 250 and the ID of the user.

If authentication of the AR device 250 is required and the AR device 250 is authenticated, the communication network service provider 252 may use the stored public signature key to ensure that the signature from the signed tag is from a legitimate third party service provider, e.g., the third party service provider 112. If so, the communication network service provider 252 may use the stored master private key to generate a per-document decryption key that can be used to decrypt the tag containing a temporary decryption key to decrypt the encrypted document.

The application server of the communication network service provider 252 may also verify that the ID of the user is a subscriber of the communication network service provider 252 and that the request was received within the available time window, e.g., 48 hours based upon comparing the time stamp of the encrypted data and a current time or a time the request was received from the device 108. If the communication network service provider 252 verifies that the signature, the ID of the user and the time stamp are correct, the communication network service provider 252 may send the per-document decryption key to the AR device 250.

At step 214, the communication network service provider 252 sends the per-document decryption key to the AR device 250. The AR device 250 may then locally decrypt the tag with the per-document decryption key to obtain the temporary decryption key contained in the tag to decrypt the encrypted document. Any available decryption algorithm may be used to decrypt the encrypted data to decrypt subsets of an entire document. For example, a 10 inch by 10 inch document may be segmented such that any 2 inch by 2 inch block within the 10 inch by 10 inch document may be decrypted and presented on a 2 inch by 2 inch display of the device 250. It should be noted that the dimensions above are provided only as examples and that any sized document may be segmented into any smaller sized documents appropriate for display on any sized display of the device 250.

To illustrate, the AR device 250 may have an image capturing device 124 to capture at least a portion of the encrypted data, e.g., an electronic document displayed by the device 108. Using the temporary decryption key contained in the tag, the AR device 250 may decrypt the portion of the encrypted data that is captured by the image capturing device 124 and display it on a display of the AR device 250. As a result, only a user viewing the display of the AR device 250 (e.g., placing the AR device over the device 108) may read a decrypted version of the encrypted data. Notably, the entire decrypted version of the encrypted data would not be displayed, but only a subset of the decrypted version of the encrypted data. In addition, it should be noted that the encrypted data remains encrypted on the document as displayed on device 108, either physical or electronic, during decryption.

At step 216, the AR device 250 may “read” or capture the encrypted data from the device 108. For example, the AR device 250 may use an image capturing device, e.g., a video camera or motion video recorder, to read or capture the encrypted data.

At step 218, the AR device 250 may then perform the decryption using the temporary decryption key obtained from the tag.

In one embodiment, the method 200 may perform optional step 220. The optional step 220 may be performed if the AR device 250 comprises multiple devices that are working together as a single AR device 250, e.g., augmented reality glasses and a mobile endpoint device, as illustrated by the AR device 250 in the dashed lines. If the AR device 250 comprises multiple devices, at optional step 216, the multiple AR devices 250 may jointly decrypt the encrypted data using a secure computation. The method 200 may then end.

FIG. 3 illustrates an example flowchart of one embodiment of a method 300 for decrypting a document. In one embodiment, the steps, functions, or operations of the method 300 may be performed by the device 250 or a general purpose computer or computing device as described in FIG. 4 and discussed below.

The method 300 begins at step 302. At step 304, the method 300 captures a tag on an encrypted document using an image capture device of an augmented reality device. In one embodiment, the tag may include a signature, an identification of a user and a time stamp. In one embodiment, the encrypted document may be received from a third party service provider that the user of the augmented reality device is a subscriber of, e.g., a bank sending an encrypted bank statement to the user. The third party service provider may add the tag to the encrypted document (e.g., at a designated part of the document such as at one of the corners of the document) before sending the encrypted document to the augmented reality device.

In one embodiment, the encrypted document may be either a physical document, e.g., a printed document on paper, or an electronic document (or an electronic image of the document) on a display, e.g., an email, a web page, a word processing document, a spreadsheet document, and the like.

In one embodiment, the document may be encrypted as an n×m matrix of the blocks. For example, a per-document key $K_{doc}$ can be used to encrypt the matrix block by block. The per-document key may be, for example, the temporary key or the short term key described above. The per-document key may be encrypted using the master public key. In one embodiment, the data at row i and column j, denoted $M_{i,j}$, may be encrypted according to a function $C_{i,j} = [i, j, F_{K_{doc}}(i, j) \oplus M_{i,j}]$, where F is a block cipher, such as AES. The above encryption method may use less memory and be more efficient than other currently used methods of encryption.
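The per-cell construction above (given for both method 200 and method 300) can be exercised with the following added example, which is not code from the disclosure. It assumes 16-byte cells, uses HMAC-SHA256 from the Python standard library as a stand-in for the block cipher F (the text names AES), and mixes the random nonce mentioned earlier into the PRF input; all function names are hypothetical. It shows decryption of only the cells inside a captured window and what is lost if the key and nonce are reused across two documents.

```python
import hashlib
import hmac

BLOCK_BYTES = 16   # bytes per cell M[i][j]; an assumption of this sketch
NONCE_BYTES = 12   # nonce length; also an assumption


def prf(k_doc: bytes, nonce: bytes, i: int, j: int) -> bytes:
    """F_Kdoc(i, j). HMAC-SHA256 is a stand-in for AES, truncated to one cell."""
    msg = nonce + i.to_bytes(4, "big") + j.to_bytes(4, "big")
    return hmac.new(k_doc, msg, hashlib.sha256).digest()[:BLOCK_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_matrix(k_doc, nonce, matrix):
    """Return the cells C[i][j] = (i, j, F_Kdoc(i, j) XOR M[i][j])."""
    cells = []
    for i, row in enumerate(matrix):
        for j, block in enumerate(row):
            if len(block) != BLOCK_BYTES:
                raise ValueError(f"cell ({i},{j}) is not {BLOCK_BYTES} bytes")
            cells.append((i, j, xor(prf(k_doc, nonce, i, j), block)))
    return cells


def decrypt_window(k_doc, nonce, cells, rows, cols):
    """Decrypt only the cells the camera currently sees.

    Each cell carries its own (i, j), so no other cell is needed and the
    rest of the document stays encrypted.
    """
    return {
        (i, j): xor(prf(k_doc, nonce, i, j), body)
        for i, j, body in cells
        if i in rows and j in cols
    }


def leaks_plaintext_xor(cells_a, cells_b, doc_a, doc_b) -> bool:
    """True if C_a XOR C_b equals M_a XOR M_b in every cell (keystream reuse)."""
    return all(
        xor(ca[2], cb[2]) == xor(doc_a[ca[0]][ca[1]], doc_b[cb[0]][cb[1]])
        for ca, cb in zip(cells_a, cells_b)
    )


def sample_matrix(n: int, m: int, label: str):
    """Constructed sample document: n x m cells of padded ASCII text."""
    return [
        [f"{label}:r{i}c{j}".encode().ljust(BLOCK_BYTES, b".") for j in range(m)]
        for i in range(n)
    ]


if __name__ == "__main__":
    key = bytes(range(32))            # constructed key, for the demo only
    nonce = b"\x01" * NONCE_BYTES     # constructed nonce
    doc = sample_matrix(5, 5, "A")
    cells = encrypt_matrix(key, nonce, doc)
    # A 2 x 2 window at rows 1-2, columns 3-4 of the 5 x 5 document.
    for pos, block in sorted(decrypt_window(key, nonce, cells, range(1, 3), range(3, 5)).items()):
        print(pos, block)
    other = sample_matrix(5, 5, "B")
    print("reuse leaks XOR:", leaks_plaintext_xor(cells, encrypt_matrix(key, nonce, other), doc, other))
```

The construction provides confidentiality only: a cell body can be altered without detection unless the cells are also authenticated.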

In one embodiment, the augmented reality device may be any single device or a combination of devices that is capable of capturing an image, communicating over a communication network, either wirelessly or via a wired connection, implementing encryption and decryption algorithms and having a display. In one embodiment, the augmented reality device may be a mobile end point device, such as for example, a cell phone, a smart phone, a tablet, a net book, a lap top computer, and the like, or a pair of augmented reality glasses having wireless communication capability, an image capturing device and a small personal display within a lens of the glasses. In one embodiment, the augmented reality device may be a combination of devices, for example, a mobile endpoint device in communication with an image capturing device or a pair of augmented reality glasses only having a display and image capturing device, but no communications capability with a communication network.

At step 306, the method 300 transmits the tag to a communication network service provider to request a per-document decryption key. In one embodiment, the tag may be visually captured by the augmented reality device from a predefined location of the document and then sent to the communication network service provider. In one embodiment, the augmented reality device that transmits the tag and requests the per-document decryption key may be authenticated to prevent unauthorized persons from obtaining the per-document decryption key, e.g., if the augmented reality device is stolen within a time period that the per-document decryption key is available.

At step 308, the method 300 receives the per-document decryption key if the tag is authenticated. In one embodiment, the tag may be authenticated if the signature is from a legitimate third party service provider, if the ID of the user is a subscriber of the communication network service provider and the request is received within an available time window.
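The checks listed for step 308 (and for steps 212 to 214 of method 200) can be sketched as the following added example, which is not code from the disclosure. It assumes a JSON tag layout with hypothetical field names, uses the 48 hour window from the text, and substitutes HMAC-SHA256 for the provider's public/private signature key pair so that it runs on the standard library alone; a deployment following the text would verify an asymmetric signature with the stored public signature key.

```python
import hashlib
import hmac
import json

WINDOW_SECONDS = 48 * 3600  # the 48 hour example window from the text


def make_tag(provider_key: bytes, uid: str, issued_at: int, wrapped_key: bytes) -> dict:
    """Third party side: bind user ID, time stamp and wrapped key under one signature.

    HMAC is a stand-in for the private signature key; field names are hypothetical.
    """
    body = json.dumps(
        {"uid": uid, "ts": issued_at, "wrapped_key": wrapped_key.hex()},
        sort_keys=True,
    ).encode()
    sig = hmac.new(provider_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def restamp(tag: dict, new_ts: int) -> dict:
    """Constructed tampered input: same signature, time stamp rewritten."""
    fields = json.loads(tag["body"])
    fields["ts"] = new_ts
    return {"body": json.dumps(fields, sort_keys=True).encode(), "sig": tag["sig"]}


def authorize(tag: dict, provider_key: bytes, subscribers: set, device_uid: str, now: int) -> str:
    """Network provider side: decide whether to release the per-document key."""
    # 1. Signature first, over the raw bytes, before any field is parsed or trusted.
    expected = hmac.new(provider_key, tag["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag["sig"]):
        return "reject: signature"
    fields = json.loads(tag["body"])
    # 2. The user named in the tag must be a subscriber.
    if fields["uid"] not in subscribers:
        return "reject: not a subscriber"
    # 3. The requesting device must belong to that user (over-the-shoulder case).
    if fields["uid"] != device_uid:
        return "reject: device does not belong to tag user"
    # 4. The request must arrive inside the window; future time stamps are refused too.
    age = now - fields["ts"]
    if not 0 <= age <= WINDOW_SECONDS:
        return "reject: outside time window"
    return "release key"


if __name__ == "__main__":
    key = b"constructed-provider-key"      # constructed sample values throughout
    issued = 1_700_000_000
    tag = make_tag(key, "alice", issued, b"\x00" * 16)
    subs = {"alice", "bob"}
    print(authorize(tag, key, subs, "alice", issued + 3600))
    print(authorize(tag, key, subs, "bob", issued + 3600))
    print(authorize(tag, key, subs, "alice", issued + WINDOW_SECONDS + 1))
    print(authorize(restamp(tag, issued + WINDOW_SECONDS), key, subs, "alice", issued + WINDOW_SECONDS + 1))
```

Because the time stamp sits inside the signed body, rewriting it to reopen an expired window fails the signature check rather than the window check.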

At step 310, the method 300 may decrypt the encrypted document on the augmented reality device using a temporary decryption key contained in the tag that is decrypted with the per-document decryption key. For example, the encrypted document displayed or produced by the device 108 may be decrypted using a temporary decryption key contained in the tag by the augmented reality device. The temporary decryption key may be obtained from the tag that is decrypted using the per-document decryption key obtained in step 308.

At step 312, the method 300 may present a decrypted version of the encrypted document on a display of the augmented reality device. In one embodiment, only a portion of the encrypted document is decrypted and displayed at any given time. For example, if the encrypted document is 8 inches by 12 inches, the image capturing device on the augmented reality device may only capture a 2 inch by 2 inch portion of the encrypted document. Thus, only a decrypted version of the 2 inch by 2 inch image that is captured would be displayed on the augmented reality device. It should be noted that the dimensions provided above are only provided as an example and that any sized document may be used and that image capturing device may capture any sized image. The method 300 ends at step 314.

It should be noted that although not explicitly specified, one or more steps, operations or blocks of the methods 200 and 300 described above may include a storing, displaying and/or outputting step as required for a particular application. In other words, any data, records, fields, and/or intermediate results discussed in the methods can be stored, displayed, and/or outputted to another device as required for a particular application. Furthermore, steps, operations or blocks in FIGS. 2 and 3 that recite a determining operation, or involve a decision, do not necessarily require that both branches of the determining operation be practiced. In other words, one of the branches of the determining operation can be deemed as an optional step. Furthermore, operations, steps or blocks of the above described methods can be combined, separated, and/or performed in a different order from that described above, without departing from the example embodiments of the present disclosure.

FIG. 4 depicts a high-level block diagram of a general-purpose computer suitable for use in performing the functions described herein. For example, any one or more components or devices illustrated in FIG. 1 or described in connection with the methods 200 and 300 may be implemented as the system 400. As depicted in FIG. 4, the system 400 comprises a hardware processor element 402 (e.g., a microprocessor, a central processing unit (CPU) and the like), a memory 404, (e.g., random access memory (RAM), read only memory (ROM), a disk drive, an optical drive, a magnetic drive, and/or a Universal Serial Bus (USB) drive), a module 405 for decrypting a document, and various input/output devices 406, e.g., a camera, a video camera, storage devices, including but not limited to, a tape drive, a floppy drive, a hard disk drive or a compact disk drive, a receiver, a transmitter, a speaker, a display, a speech synthesizer, an output port, and a user input device (such as a keyboard, a keypad, a mouse, and the like).

It should be noted that the present disclosure can be implemented in software and/or in a combination of software and hardware, e.g., using application specific integrated circuits (ASIC), a general purpose computer or any other hardware equivalents, e.g., computer readable instructions pertaining to the method(s) discussed above can be used to configure a hardware processor to perform the steps, functions and/or operations of the above disclosed methods. In one embodiment, the present module or process 405 for decrypting a document can be implemented as computer-executable instructions (e.g., a software program comprising computer-executable instructions) and loaded into memory 404 and executed by hardware processor 402 to implement the functions as discussed above. As such, the present method 405 for decrypting a document as discussed above in methods 200 and 300 (including associated data structures) of the present disclosure can be stored on a non-transitory (e.g., tangible or physical) computer readable storage medium, e.g., RAM memory, magnetic or optical drive or diskette and the like.

It should be noted that the hardware processor can be configured or programmed to cause other devices to perform one or more operations as discussed above. In other words, the hardware processor may serve the function of a central controller directing other devices to perform the one or more operations as discussed above.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

What is claimed is:
 1. A method for decrypting an encrypted document, comprising: capturing, by an augmented reality device, a tag on the encrypted document; transmitting, by the augmented reality device, the tag to an application server of a communication network to request a per-document decryption key; receiving, by the augmented reality device, the per-document decryption key when the tag is authenticated; and decrypting, by the augmented reality device, a portion of the encrypted document using a temporary decryption key contained in the tag, the tag decrypted with the per-document decryption key.
 2. The method of claim 1, wherein the tag comprises a signature, an identification of a user and a time stamp, wherein the signature is generated using a private signature key that is issued to a third party service provider by the application server of the communication network.
 3. The method of claim 1, wherein the encrypted document is visually encoded block by block using an n×m matrix.
 4. The method of claim 1, wherein a public master key of a master key pair is used to generate and encrypt the temporary decryption key that is contained in the tag and used to decrypt the encrypted document.
 5. The method of claim 4, wherein the per-document decryption key is generated using a private master key of the master key pair.
 6. The method of claim 1, wherein the encrypted document comprises a printed document.
 7. The method of claim 1, wherein the encrypted document comprises an electronic document.
 8. The method of claim 1, wherein the augmented reality device comprises a mobile end point device.
 9. The method of claim 1, wherein the decrypting comprises: presenting a decrypted version of the portion of the encrypted document on a display of the augmented reality device, wherein the portion of the encrypted document is captured by an image capture device of the augmented reality device.
 10. A tangible computer-readable medium storing a plurality of instructions, which, when executed by a processor of an augmented reality device, cause the processor to perform operations for decrypting an encrypted document, the operations comprising: capturing a tag on the encrypted document; transmitting the tag to an application server of a communication network to request a per-document decryption key; receiving the per-document decryption key when the tag is authenticated; and decrypting a portion of the encrypted document using a temporary decryption key contained in the tag, the tag decrypted with the per-document decryption key.
 11. The tangible computer-readable medium of claim 10, wherein the tag comprises a signature, an identification of a user and a time stamp, wherein the signature is generated using a private signature key that is issued to a third party service provider by the application server of the communication network.
 12. The tangible computer-readable medium of claim 10, wherein the encrypted document is visually encoded block by block using an n×m matrix.
 13. The tangible computer-readable medium of claim 10, wherein a public master key of a master key pair is used to generate and encrypt the temporary decryption key that is contained in the tag and used to decrypt the encrypted document.
 14. The tangible computer-readable medium of claim 13, wherein the per-document decryption key is generated using a private master key of the master key pair.
 15. The tangible computer-readable medium of claim 10, wherein the encrypted document comprises a printed document.
 16. The tangible computer-readable medium of claim 10, wherein the encrypted document comprises an electronic document.
 17. The tangible computer-readable medium of claim 10, wherein the augmented reality device comprises a mobile end point device.
 18. The tangible computer-readable medium of claim 10, wherein the decrypting comprises: presenting a decrypted version of the portion of the encrypted document on a display of the augmented reality device, wherein the portion of the encrypted document is captured by an image capture device of the augmented reality device.
 19. An apparatus for decrypting an encrypted document, comprising: a processor of an augmented reality device; and a computer-readable medium storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising: capturing a tag on the encrypted document; transmitting the tag to an application server of a communication network to request a per-document decryption key; receiving the per-document decryption key when the tag is authenticated; and decrypting a portion of the encrypted document using a temporary decryption key contained in the tag, the tag decrypted with the per-document decryption key.
 20. The apparatus of claim 19, wherein the decrypting comprises: presenting a decrypted version of the portion of the encrypted document on a display of the augmented reality device, wherein the portion of the encrypted document is captured by an image capture device of the augmented reality device.